Problems in PCRE, the Linux Kernel, and SILC

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in PCRE, the Linux kernel, SILC, Frox, MPlayer, pam_ldap, maildrop, lm_sensors, simpleproxy, backup-manager, Adobe Version Cue, phpGroupWare, and webcalendar.

PCRE

PCRE, the Perl Compatible Regular Expressions library, is vulnerable to a buffer overflow that could result in arbitrary code being executed with the permissions of the user running the application linked against the library. PCRE is reported to be used by Analog, Python, PHP, gnumeric, KDE, Apache, Postfix, maildrop, nmap, Onyx, and Hypermail.

All users of PCRE should upgrade to version 6.2 or newer and should watch
for new versions of any application that is linked against PCRE.

Linux Kernel Problems

Multiple security-related problems have been fixed in the Linux kernel. These
include problems in the decompression of files on zisofs filesystems, a buffer
overflow in zlib decompression, a buffer overflow in sock->sk_policy, and a bug
in the S/390-specific kernel that could be exploited by a local user to power
partitions on and off.

Users should watch their vendors for an up-to-date version of the kernel. Updated
kernels have been released for SuSE Linux 9.1, 9.2, and 9.3; SUSE Linux Enterprise
Server 9; and Novell Linux Desktop 9.

SILC

SILC, Secure Internet Live Conferencing, is reported to be vulnerable to a
temporary-file symbolic-link race condition that may be exploitable by a local
attacker to overwrite arbitrary files on the system with the victim's permissions.
Version 1.0 of the SILC server and version 0.9.12-r3 of the SILC toolkit are
reported to be vulnerable.

Affected users should watch for a repaired version of SILC.

Frox

Frox is a transparent FTP proxy for FreeBSD. A reported bug in Frox would
allow any user to read any file on the system.

It is recommended that Frox be disabled until it has been repaired.

MPlayer

MPlayer is a Linux and Unix multimedia player that supports multiple formats,
including MPEG, VOB, AVI, Ogg/OGM, VIVO, ASF/WMA/WMV, QT/MOV/MP4, FLI, RM,
NuppelVideo, YUV4MPEG, FILM, RoQ, and PVA. A vulnerability in the code that
handles strf chunks in PCM audio streams may be exploitable by a remote attacker
who creates a video or audio file that will cause arbitrary code to be executed
when the victim plays the file in MPlayer.

All users should upgrade to a repaired version as soon as possible. Gentoo
has released a repaired version. A possible workaround is to add ac=-pcm to
the MPlayer configuration file. Making this change will disable MPlayer's ability
to play uncompressed audio.

pam_ldap

pam_ldap, a Pluggable Authentication Module that authenticates to an LDAP server,
will under some conditions authenticate connections that it should have denied
and allow an attacker to bypass security restrictions.

Every user of pam_ldap should upgrade as soon as possible to pam_ldap-180
or newer.

maildrop

The mail delivery agent maildrop may, under some conditions, be vulnerable to
an attack that can result in arbitrary code being executed with the mail group's
permissions.

Users should watch their vendors for a repaired version of maildrop. Debian
has released patched versions of maildrop.

lm_sensors

lm_sensors provides monitoring of temperature, voltage, and fan status of
a Linux machine. The pwmconfig script included with lm_sensors is reported
to be vulnerable to a temporary-file symbolic-link based race condition that
may be usable by a remote attacker to overwrite arbitrary files on the system
with, in most cases, root permissions.

It is recommended that lm_sensors be disabled on multi-user systems until
this vulnerability has been corrected by upgrading to version 2.9.1 or newer.

simpleproxy

simpleproxy, a TCP-based proxy server, is reported to have a format-string-based vulnerability that may be exploitable by a remote attacker to execute
arbitrary code with the permissions of the user account running simpleproxy.

All users of simpleproxy should upgrade to version 3.4 as soon as possible
and should consider disabling it until it can be upgraded.

backup-manager

The command line tool backup-manager is reported to contain two vulnerabilities:
backup files are created with world-readable permissions, allowing an attacker
to view files in the backup that may not be viewable on the system; and a temporary-file symbolic-link race condition when backup-manager is used to back up
files to a CD.

Affected users should upgrade to version 0.5.8b or newer of backup-manager
as soon as possible.

Adobe Version Cue

The Mac OS X version of Adobe Version Cue is vulnerable to a local attack
that can result in arbitrary code being executed with root permissions. Also,
Adobe Version Cue is vulnerable to a temporary-file symbolic-link race
condition that can be exploited to overwrite arbitrary files on the system
with root permissions. Adobe Version Cue is a software version-tracking system
that is part of Adobe Creative Suite and other Adobe products. Code to automate
the exploitation of these vulnerabilities has been released to the public.

Users of Adobe Version Cue should apply the update available from Adobe. A
possible workaround is to remove the set-user-ID bit from the VCNative utility.
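
The temporary-file symbolic-link race reported above for SILC, the lm_sensors pwmconfig script, backup-manager, and Adobe Version Cue comes down to writing to a predictable path in a shared directory. The following shell sketch is an added example, not code from any of those packages; the file name app.tmp and all function names are hypothetical, and the sandbox it builds is constructed for the demonstration. It puts the insecure pattern beside two hardened ones:

```shell
#!/bin/sh
# Added example: constructed sandbox, hypothetical names, not vendor code.

# Insecure pattern: predictable temp-file name. If a symlink already sits at
# that path, the redirection follows it and truncates the link's target.
unsafe_tmp_write() {
    dir=$1
    tmp="$dir/app.tmp"
    echo "scratch data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened pattern: mktemp picks an unpredictable name and creates the file
# exclusively with mode 0600, so a planted symlink is never followed and
# other local users cannot read the contents.
safe_tmp_write() {
    dir=$1
    tmp=$(mktemp "$dir/app.XXXXXXXXXX") || return 1
    echo "scratch data" > "$tmp"
    printf '%s\n' "$tmp"
}

# Guard for scripts that must keep a fixed name: with noclobber set, ">"
# refuses to overwrite an existing regular file, including one reached
# through a symlink.
noclobber_write() {
    dir=$1
    ( set -C; echo "scratch data" > "$dir/app.tmp" ) 2>/dev/null
}

# Build a sandbox with a planted symlink and report what each pattern did
# to the file the link points at.
demo() {
    box=$(mktemp -d) || return 1
    echo "important" > "$box/victim"
    ln -s "$box/victim" "$box/app.tmp"
    safe_tmp_write "$box" >/dev/null
    after_safe=$(cat "$box/victim")
    noclobber_write "$box" && nc=written || nc=refused
    unsafe_tmp_write "$box" >/dev/null
    after_unsafe=$(cat "$box/victim")
    rm -rf "$box"
    printf '%s|%s|%s\n' "$after_safe" "$nc" "$after_unsafe"
}

demo
```

Because mktemp creates the file with owner-only permissions, the same pattern also avoids the world-readable output described for backup-manager.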

phpGroupWare

phpGroupWare is a web-based application that includes a calendar, address
book, to-do list, email, wiki, and news headlines. Several vulnerabilities
have been found in phpGroupWare that may be exploitable under some conditions
to execute arbitrary PHP code, or in cross-site scripting attacks.

All users of phpGroupWare should upgrade to version 0.9.16.008 as soon as
possible.

webcalendar

webcalendar is reported to be vulnerable to an unspecified problem that can
be trivially exploited by a remote attacker to execute arbitrary code with
the permissions of the user account running the web server.

Affected users should watch for a repaired version from their vendors and should
consider disabling webcalendar until it has been repaired. Debian has released
packages for sarge.